A typical data communications system comprises a network, one or more hosts connected to the network, and means by which one or more users may obtain the services of a host via the network, e.g., through a user terminal connected to the network via a telephone circuit. A host is an intelligent processor or device connected to a network that provides information and/or communications services to remote users through the network. A host contains control software and at least one database stored in its memory.
It is well known that data communications systems currently face a variety of security and privacy threats. One such threat, which is the subject of the invention herein, is that of unauthorized access to a host's database by a user. Once unauthorized access has been gained, unauthorized interception or modification of information in the database may occur. An intruder may, for example, obtain private or personal information about individuals; he may obtain confidential economic, market, or technical information on competitive organizations; or he may acquire restricted information of governmental agencies. He may make additions and/or deletions to the database which have severe financial or other consequences. He may obtain the services of the host at no cost to him (the intruder) while incurring an erroneous charge to an authorized user.
One safeguard against unauthorized access is the password test. Under this scheme, a host refuses a user access to a database unless the user provides a valid password, presumably the password preassigned to the user. Experience shows this method provides only limited protection. Password validation is vulnerable to systematic or random guessing of passwords. More recent password systems permit the user to proffer a password only once or a small number of times, in order to prevent repeated trials at guessing a valid password.
Another safeguard against unauthorized access is the identifier test. Under this scheme, the user generally is assigned a plastic card with a stripe of magnetic tape mounted on one side of the card. A unique identification number is magnetically encoded in the tape. The user generally does not know the identification number encoded in the card. In order to gain access to a database or a portion of a database, the user is required to insert the card into a device having means for reading the identification number from the card and transmitting the number to the host. Access is granted by the host only if the identification number is valid. This method may be employed in conjunction with a password test.
The identifier test used in conjunction with a password test offers substantially more security against unauthorized access than the password test alone. The identification number is not subject to guessing by third parties because the number can be entered only by means of the card. The user maintains security by retaining physical control of the card. Even if the card is misappropriated, the password test is an additional hurdle which must be overcome before unauthorized access may be gained. The identification number generally is a longer and more complex number or code than the password, so that the probability of guessing a valid identification number is less than that of guessing a valid password. Since the identification number is entered automatically, it need not be simple, unlike a password, which must be committed to human memory. The more complex identification number is an advantage in the case where a counterfeit card is used or a card is electronically simulated.
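The combined check described above, as an added illustration that is not part of the original text: a host that requires both the card's identification number and the user's password, and that stops accepting trials after a small number of failures. The user names, card numbers and passwords are constructed for the example, and the lockout threshold is an assumed value.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed "small number" of trials before further trials are refused


def _hash_password(password: str, salt: bytes) -> bytes:
    # Store a salted hash rather than the password, so a copied database
    # does not directly yield valid passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Host:
    """Host applying the identifier test and the password test together."""

    def __init__(self) -> None:
        self._users = {}     # user -> (card identification number, salt, password hash)
        self._failures = {}  # user -> consecutive failed trials

    def enroll(self, user: str, card_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (card_id, salt, _hash_password(password, salt))
        self._failures[user] = 0

    def request_access(self, user: str, card_id: str, password: str) -> str:
        """Return 'granted', 'refused' or 'locked' for one access request."""
        record = self._users.get(user)
        if record is None:
            return "refused"
        if self._failures[user] >= MAX_ATTEMPTS:
            return "locked"  # no further trials accepted for this user
        stored_card, salt, stored_hash = record
        # Constant-time comparisons so timing does not leak which test failed.
        card_ok = hmac.compare_digest(stored_card.encode(), card_id.encode())
        pw_ok = hmac.compare_digest(stored_hash, _hash_password(password, salt))
        # Both tests must pass: a misappropriated card alone is not enough,
        # and a guessed password without the card is not enough either.
        if card_ok and pw_ok:
            self._failures[user] = 0
            return "granted"
        self._failures[user] += 1
        return "refused"
```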
In a data communications system, responsibility for security generally resides with the hosts. There may be varying levels of security between hosts or between different databases administered by a single host. The hosts generally possess user-specific information for billing and other administrative functions. In a public network, where access to the network is available to anyone having access to a terminal, there are even stronger reasons for assigning security responsibilities to the hosts.
Some hosts have no security measures against unauthorized access, not even password security measures. Even where password security exists, many hosts may be insecure. It is often desirable to upgrade these hosts to the level of identifier security. The upgrade from no security to identifier security or from password security to identifier security generally requires a substantial revision of the host's control software. The typical host is heavily involved in providing information or other services to users and in maintaining its database. The task of revising its control software may not be well received by those responsible for the administration of a host, not only because the task is costly but also because it presents the specter of a possible disruption of the host's ability to provide services to its users.
It would constitute an advancement of the art if there were means by which a data communications system with a host having no security measures or password security measures could be upgraded to the level of identifier security, simply, inexpensively, and without requiring revision of existing software of the host or network.